Bug #11367

Keystone PKI token expiration is not enforced

Added by Anton Aksola over 3 years ago. Updated over 3 years ago.

Status:
Resolved
Priority:
High
Assignee:
Target version:
-
Start date:
04/10/2015
Due date:
% Done:

0%

Source:
other
Tags:
Backport:
hammer, firefly
Regression:
No
Severity:
2 - major
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:

Description

Our customer reported that their tokens do not seem to expire.

It seems that there is no expiration check after decoding a PKI token. While there is an expiration check in the token cache class, it has no effect when dealing with PKI tokens.

I have made a small patch against firefly and it seems to correct the issue in our environment:
https://github.com/aakso/ceph/tree/wip-rgw-pki-token-expire-firefly

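To make the flow in the description concrete, here is an added, simplified C++ model of the two validation paths. It is not Ceph's code and not the author's patch: TokenInfo, TokenCache, decode_pki_token and the two validate_keystone_token_* functions are hypothetical stand-ins for the radosgw Keystone path, and the token format "PKI:<user>:<expires_epoch>" is constructed for the example instead of a CMS-signed JSON payload. The buggy variant shows why an expiry check that lives only in the cache is ineffective for locally decoded tokens; the fixed variant adds the explicit check after decoding.

```cpp
#include <cstdlib>
#include <map>
#include <string>

// Hypothetical simplification of the flow described in the bug report.
// None of these names are Ceph's actual types or functions.

struct TokenInfo {
    std::string user;
    long expires;  // expiry claim carried inside the token (Unix seconds)
};

// Cache of previously validated tokens. In the flow described by the report
// this is the only place expiration is checked, which cannot protect a token
// that is decoded locally again on every cache miss.
class TokenCache {
    std::map<std::string, TokenInfo> entries_;
public:
    void put(const std::string& id, const TokenInfo& info) { entries_[id] = info; }
    bool find(const std::string& id, long now, TokenInfo& out) {
        std::map<std::string, TokenInfo>::iterator it = entries_.find(id);
        if (it == entries_.end()) return false;
        if (now >= it->second.expires) {   // expired entry: evict and miss
            entries_.erase(it);
            return false;
        }
        out = it->second;
        return true;
    }
};

// Stand-in for decoding a PKI token. A real decoder verifies the CMS signature
// and parses the JSON payload; here the constructed payload is
// "PKI:<user>:<expires_epoch>". Returns false for malformed input.
bool decode_pki_token(const std::string& token, TokenInfo& info) {
    if (token.rfind("PKI:", 0) != 0) return false;
    std::string rest = token.substr(4);
    std::string::size_type sep = rest.find(':');
    if (sep == std::string::npos || sep == 0) return false;
    std::string exp = rest.substr(sep + 1);
    if (exp.empty()) return false;
    char* end = 0;
    long expires = std::strtol(exp.c_str(), &end, 10);
    if (*end != '\0') return false;           // trailing junk in the number
    info.user = rest.substr(0, sep);
    info.expires = expires;
    return true;
}

// Flow as described in the report: the cache rejects an expired entry, but a
// cache miss falls through to decode_pki_token, whose result is trusted
// without looking at the expiry claim. Expired PKI tokens are accepted forever.
bool validate_keystone_token_buggy(TokenCache& cache, const std::string& token,
                                   long now, TokenInfo& out) {
    if (cache.find(token, now, out)) return true;
    if (!decode_pki_token(token, out)) return false;
    cache.put(token, out);
    return true;
}

// Fixed flow: the expiry claim is checked explicitly after decoding, so the
// decision no longer depends on whether the token happened to be cached.
bool validate_keystone_token_fixed(TokenCache& cache, const std::string& token,
                                   long now, TokenInfo& out) {
    if (cache.find(token, now, out)) return true;
    if (!decode_pki_token(token, out)) return false;
    if (now >= out.expires) return false;     // the missing check
    cache.put(token, out);
    return true;
}

// Constructed scenarios: a token for "alice" that expired at epoch 1000,
// presented at epoch 2000.
bool buggy_accepts_expired() {
    TokenCache cache; TokenInfo out;
    return validate_keystone_token_buggy(cache, "PKI:alice:1000", 2000, out);
}
bool fixed_accepts_expired() {
    TokenCache cache; TokenInfo out;
    return validate_keystone_token_fixed(cache, "PKI:alice:1000", 2000, out);
}
bool fixed_accepts_valid() {
    TokenCache cache; TokenInfo out;
    return validate_keystone_token_fixed(cache, "PKI:alice:3000", 2000, out)
        && out.user == "alice";
}

// The sequence the report implies: the token is cached while valid, then
// presented again after expiry. The cache evicts it correctly, but the buggy
// flow re-decodes and re-accepts it; the fixed flow rejects it.
bool buggy_accepts_after_cache_eviction() {
    TokenCache cache; TokenInfo out;
    bool first  = validate_keystone_token_buggy(cache, "PKI:bob:3000", 2000, out);
    bool second = validate_keystone_token_buggy(cache, "PKI:bob:3000", 3500, out);
    return first && second;
}
bool fixed_rejects_after_cache_eviction() {
    TokenCache cache; TokenInfo out;
    bool first  = validate_keystone_token_fixed(cache, "PKI:bob:3000", 2000, out);
    bool second = validate_keystone_token_fixed(cache, "PKI:bob:3000", 3500, out);
    return first && !second;
}
```

The point of the two *_after_cache_eviction scenarios is the one the report makes: the cache's own expiry check does fire, but because every miss ends in a local decode that trusts the payload, it never results in a rejection unless the decode path checks the claim itself.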

Related issues

Copied to rgw - Backport #11721: Keystone PKI token expiration is not enforced Resolved 04/10/2015
Copied to rgw - Backport #11722: Keystone PKI token expiration is not enforced Resolved 04/10/2015

Associated revisions

Revision 2df06939 (diff)
Added by Anton Aksola over 3 years ago

rgw: always check if token is expired

Fixes: #11367

Currently token expiration is only checked by the token cache. With PKI
tokens no expiration check is done after decoding the token. This causes
PKI tokens to be valid indefinitely. UUID tokens are validated by
keystone after cache miss so they are not affected by this bug.

This commit adds explicit token expiration check to
RGWSwift::validate_keystone_token()

Signed-off-by: Anton Aksola <>
Reported-by: Riku Lehto <>

Revision d4ef5566 (diff)
Added by Anton Aksola over 3 years ago

rgw: always check if token is expired

Fixes: #11367

Currently token expiration is only checked by the token cache. With PKI
tokens no expiration check is done after decoding the token. This causes
PKI tokens to be valid indefinitely. UUID tokens are validated by
keystone after cache miss so they are not affected by this bug.

This commit adds explicit token expiration check to
RGWSwift::validate_keystone_token()

Signed-off-by: Anton Aksola <>
Reported-by: Riku Lehto <>
(cherry picked from commit 2df069390ea3bbcfbab5022750e89f51d197cc11)

Revision 9dfef600 (diff)
Added by Anton Aksola over 3 years ago

rgw: always check if token is expired

Fixes: #11367

Currently token expiration is only checked by the token cache. With PKI
tokens no expiration check is done after decoding the token. This causes
PKI tokens to be valid indefinitely. UUID tokens are validated by
keystone after cache miss so they are not affected by this bug.

This commit adds explicit token expiration check to
RGWSwift::validate_keystone_token()

Signed-off-by: Anton Aksola <>
Reported-by: Riku Lehto <>
(cherry picked from commit 2df069390ea3bbcfbab5022750e89f51d197cc11)

History

#1 Updated by Yehuda Sadeh over 3 years ago

The fix looks correct. Can you send a pull request against the ceph upstream repository, and add a Signed-off-by tag to the commit?

#2 Updated by Loic Dachary over 3 years ago

  • Status changed from New to Pending Backport
  • Backport set to firefly

#3 Updated by Anton Aksola over 3 years ago

#4 Updated by Loic Dachary over 3 years ago

  • Status changed from Pending Backport to In Progress
  • Regression set to No

#5 Updated by Anton Aksola over 3 years ago

I tested the patch against master snapshot in our QA and it seems to work. Going to resubmit a merge request soon.

#7 Updated by Yehuda Sadeh over 3 years ago

  • Backport changed from firefly to hammer, firefly

#8 Updated by Yehuda Sadeh over 3 years ago

  • Status changed from In Progress to Pending Backport

#9 Updated by Yehuda Sadeh over 3 years ago

  • Assignee set to Loic Dachary

#10 Updated by Yehuda Sadeh over 3 years ago

  • Status changed from Pending Backport to Resolved
